Red October Cyber Espionage Campaign Hits Global Governments

A major cyber espionage campaign, believed to have been carried out by a Russian-speaking organisation, has hit governments across the world.

For at least five years, a team of hackers has been carrying out a major cyber espionage project on embassies and other government bodies, Kaspersky Lab revealed today.

The Red October initiative, named by Kaspersky, remains active today and focused on siphoning data out of agencies, with Russia seemingly the main target.

The attackers were able to steal information from a range of devices, including PCs, iPhones and other smartphones, enterprise network gear, such as Cisco’s, and removable hard drives.

Russian cyber espionage

As for the Russian connection, Kaspersky had various pieces of evidence all but proving the link.

“[Based] on registration data of C&C servers and numerous artefacts left in executables of the malware, we strongly believe that the attackers have Russian-speaking origins,” Kaspersky Lab said, in a blog post.

When looking at what was dropped after initial infection, Kaspersky found a command to switch the codepage, or character encoding, of an infected system to ‘1251’. “This is required to address files and directories that contain Cyrillic characters in their name.”

Cyrillic is a script used in various Eastern European nations and former USSR satellite states, including Russia, Belarus, Bosnia and Herzegovina, Bulgaria, Serbia, Tajikistan and Ukraine.

Yet Vitaly Kamluk, chief malware analyst at Kaspersky Lab, told TechWeekEurope there was no “strict evidence” a nation state was behind the campaign. But it was one of the most targeted campaigns seen to date – more so than the Flame and Gauss cyber espionage campaigns that were revealed last year to have hit government bodies.

“In Red October, the attackers seem to be hunting for specific organisations. They are interested in high-quality, high-profile information,” Kamluk said.

“That explains why the number of infected machines is so low – just over 300 machines… but every target was specifically selected. What makes this attack different from Flame and others is that every attack was planned very carefully.

“They shaped every attack attempt very carefully, and even created specific modules for targets. Not all the targets received the same binaries.

“Inside the malware, you can find a user ID, which actually shows it is a specific piece of malware compiled for a specific [target].”

Yet the hackers did not bother with creating their own exploit code. Instead, they borrowed known code that was made public following attempts to spy on Tibetan activists, which had “Chinese origins”, Kaspersky said.

Russia appeared to be the main target, as it was home to 35 systems infected with at least one module of the relevant malware. Kazakhstan had 21, whilst Azerbaijan, Belgium and India had 15 each. There were none in the UK.

The attackers sought to infect various government bodies, embassies in particular. Looking deeper into the figures, Kaspersky said government research institutes in Russia, Belarus and Kazakhstan, as well as foreign embassies in Russia, Iran and Ireland were all hit. Nuclear and energy groups, and military bodies in Russia and Kazakhstan were victims too.

Infection numbers are likely to be higher, as the data was taken from Kaspersky’s AV network, which will only cover its own customers.

Hyper-targeting

The Red October group used standard targeted attack methods to infect systems. First, they sent specially-crafted emails to dupe the target into unwittingly downloading malware, in what is known as spear-phishing, by opening attached Microsoft Word and Microsoft Excel files containing malicious code.

Additional modules were then uploaded from the command and control (C&C) server, including ones that dealt with smartphone infections. Infections did not actually reach iPhones, but data was pilfered from iTunes, which syncs with Apple’s smartphone. Windows Phones were directly infected, however.

The spyware attempted to steal data from various cryptographic systems, including one used by different bodies within the European Union, European Parliament and European Commission since the summer of 2011.

The attackers hid their activity in a number of ways. First, they set up a command and control (C&C) infrastructure in which 60 domain names were created and servers located in different countries were used. The Red October team hid the location of the “mothership control server”.

Various files were implanted in victims’ machines too, but the most cunning innovation came in the form of a special module that allowed hackers to re-infect machines after they had lost contact with the victim.

“This campaign has a lot of unique modules and this one is one of them. It is installed as a plug-in for Microsoft Office or Adobe Reader,” explained Kamluk.

“The module waits for a specific file to be opened. It is not a file which has any kind of vulnerabilities in it… but it has a special digital tag that is verified by the plug-in.

“If the tag matches the signature of the attacker then they will try to extract an embedded, encrypted executable from the document and will try to run it in the system.”

When a user deleted other modules from their machines, cutting themselves off from the C&C, the file would be sent to the target in an attempt to infect them again. As the file contains no malicious code, it would bypass anti-virus systems, or other protections, every time.

Kaspersky uncovered 1000 different malicious files related to over 30 modules during its investigation.

Regardless of whether the Red October attacks were state-sponsored or carried out by a gang wanting government data, they hint at a new level of targeting and malware sophistication in the cyber world.


Apologies if the article is not clear enough – perhaps it should have mentioned the term ‘alphabet’ somewhere, but I have faith in our readers.

Cyrillic is clearly used as the basis for alphabets in a number of countries. It is the third official script of the European Union. So, umm, it is a script used in Eastern European nations and former USSR satellite states.